How does the device work?

Does everyone know what a microcell is?

• Web-based interface to provision the phone numbers that may connect to the device

• The configuration is somehow pushed to the device

• Only those phone numbers can connect



Why?

Dear Mathew, our cell service sucks - here's something for free that can do cool things

Working at Intrepidus Group - focus on mobile security

I do not know much about hardware stuff



Network Communication

• HTTPS with mutual authentication

• IPsec tunnel

• Multicast traffic

• MITM?







SECURITY 
Disassembly: wuntee vs Microcell

round 1

• 2 screws under the bottom orange part

• Orange part comes off

• Two side panels come off

• Single board connected to the grey portion

• Rip them all off!!
wuntee vs Customer service

round 1

me: My microcell doesn't work anymore. I don't know what happened.

service: Ok, let me pull up your account. What is your name, phone number, pet's name, favorite food, grandma's middle name, etc.

[10 minutes later]

service: It seems like your account has the "tamper" flag set, did you drop the device at all?

me: Nope, I just left for work and when I came back it wasn't working. The cleaning ladies may have messed with it.

service: No problem, I will just put a note in here that we should replace it. Go to the store and as long as one is in stock they should replace it without asking any questions.
Disassembly: wuntee vs Microcell

round 2

• Went to Home Depot and purchased a thin saw

• Removed the bottom orange part

• Sawed through the things attaching the jumpers

• Removed the outer cage

• Powered on just fine
Hardware

Debug Pins

• C541

• JP1, JP2, JP5, JP6

• PL1

• PL2
wuntee vs debug pins
round 1: C541

Saleae Logic Analyzer 16
Workflow

1. Multimeter to find ground and check the pin voltages, so the Saleae won't blow up

2. Plug the pins into the analyzer and sample at a high rate

3. Start the Logic software and plug in the device

4. Stop the analyzer after you think some data has been transferred

5. Attempt to "Analyze" (run the software's built-in protocol decoders over the capture)
DATA!

Export the "analyzed" data to CSV, import to Excel, copy/paste into vi and manipulate

'255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''160''162''0''0''221'$GPGGA232354.755000M0.0M0000*50
'239''176''179''160''162''0'?'221'$GPGSV31112064283065104216483003243018*71
'12''209''176''179''160''162''0'?'221'$GPGSV32111940071033635223361791117325*79
'12''221''176''179''160''162''0'4'221'$GPGSV3311251023731081380702261*49
'192''176''179''160''162''0'*'221'$GPRMC232354.755V150612N*4A
'21''176''179''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''160''162''0''2''2''16''0''18''176''179''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''160''162''0''0''221'$GPGGA232359.736000M0.0M0000*58
'251''176''179''160''162''0'?'221'$GPGSV31112064283065104216483003243018*71
'12''209''176''179''160''162''0'?'221'$GPGSV32111940071033635223361791117325*79
'12''221''176''179''160''162''0'4'221'$GPGSV3311251023731081380702261*49
'192''176''179''160''162''0'*'221'$GPRMC232359.736V150612N*42

(The commas between the NMEA fields were lost in the copy/paste. The 160/162 and 176/179 bytes around each sentence are 0xA0 0xA2 and 0xB0 0xB3, the start and end sequences of the SiRF binary protocol.)
"$GPGSV32111"

• Google?

• GPS related data: NMEA 0183 sentences ($GPGGA fix data, $GPGSV satellites in view, $GPRMC recommended minimum), with no position fix in them (RMC status V, GGA fix quality 0)

• Nothing of interest
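To make the "nothing of interest" check reproducible, here is an added example (not from the deck) that takes the byte values the analyzer produced, pulls the NMEA sentences out from between the framing bytes and verifies each sentence's checksum. The capture below is constructed to match the slide: the commas the copy/paste dropped are restored, and the restored sentences reproduce the checksums the device emitted (*50, *71, *4A). The SiRF-style length bytes after 0xA0 0xA2 are placeholders.

```python
import re

# Constructed: the byte values the analyzer decoded off the C541 pins, with the
# framing the capture shows (0xFF idle, 0xA0 0xA2 ... 0xB0 0xB3 around each
# sentence; the two length bytes after 0xA0 0xA2 are placeholders here).
CAPTURE = (
    b"\xff" * 8
    + b"\xa0\xa2\x00\x00\xdd$GPGGA,232354.755,,,,,0,00,,,M,0.0,M,,0000*50\r\n\xb0\xb3"
    + b"\xa0\xa2\x00\x00\xdd$GPGSV,3,1,11,20,64,283,,06,51,042,,16,48,300,,32,43,018,*71\r\n\xb0\xb3"
    + b"\xa0\xa2\x00\x00\xdd$GPRMC,232354.755,V,,,,,,,150612,,,N*4A\r\n\xb0\xb3"
    # one digit flipped on purpose: the checksum must reject this one
    + b"\xa0\xa2\x00\x00\xdd$GPRMC,232354.756,V,,,,,,,150612,,,N*4A\r\n\xb0\xb3"
)

# '$', five-letter sentence id, fields up to '*', two hex checksum digits
SENTENCE = re.compile(rb"\$([A-Z]{5},[^*\r\n]*)\*([0-9A-Fa-f]{2})")


def nmea_checksum(body: bytes) -> int:
    """XOR of every byte between '$' and '*' (the NMEA 0183 checksum)."""
    csum = 0
    for b in body:
        csum ^= b
    return csum


def extract_sentences(raw: bytes):
    """Yield (sentence_type, fields, checksum_ok) for each NMEA sentence found in
    a raw byte stream, ignoring whatever idle/framing bytes surround them."""
    for m in SENTENCE.finditer(raw):
        body, claimed = m.group(1), int(m.group(2), 16)
        fields = body.decode("ascii").split(",")
        yield fields[0], fields[1:], nmea_checksum(body) == claimed


def summarize(raw: bytes):
    """Decode the fields that say whether the receiver has a position fix."""
    out = []
    for stype, f, ok in extract_sentences(raw):
        if stype == "GPGGA":
            # GGA: time, lat, N/S, lon, E/W, fix quality, satellites used, ...
            out.append({"type": stype, "ok": ok, "time": f[0],
                        "fix_quality": int(f[5]), "sats_used": int(f[6])})
        elif stype == "GPRMC":
            # RMC: time, status (A = valid, V = void), ..., date ddmmyy at index 8
            out.append({"type": stype, "ok": ok, "time": f[0],
                        "status": f[1], "date": f[8]})
        elif stype == "GPGSV":
            # GSV: total messages, message number, satellites in view, then
            # (PRN, elevation, azimuth, SNR) groups of four fields
            out.append({"type": stype, "ok": ok, "sats_in_view": int(f[2]),
                        "prns": [f[i] for i in range(3, len(f) - 3, 4)]})
    return out


if __name__ == "__main__":
    for rec in summarize(CAPTURE):
        print(rec)
```

The decoded GGA/RMC pair says fix quality 0, status V and date 15 June 2012: the receiver was alive but had no fix, which is all the serial port on those pins gives away.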
wuntee vs debug pins

round 2: JP1

• Same workflow as the first set of pins

Erased 1 sectors
Writing to Flash... done
 b_end =BF3FFFFF
Protecting sectors 9..9 in bank 1
Protected 1 sectors

3: System Boot system code via Flash. boot_loc:0 0xBF040000
## Booting image at bf040000 ...
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802a0000) ...
## Giving linux memsize in MB 16
Starting kernel ...

LINUX started...
 THIS IS ASIC
Linux version 2.6.21 (perry@perry-pc) (gcc version 3.3.6) #47 Thu Mar 4 16:17:18 CST 2010
Winner: wuntee

• Time was then spent attacking the operating system, but that will come later...
wuntee vs debug pins

round 3: JP2, JP5, JP6

• No show

• Winner.... Draw?

wuntee vs debug pins

round 4: PL2

• Something different... 3 pins of data?
SPI

• The clock can run at tens of MHz (up to 100 MHz on some parts) - must increase the sample rate

• Master/slave: one master, one or more slaves

• Four lines

  • MOSI - Master Out, Slave In (data from the master to the slave)

  • MISO - Master In, Slave Out (data from the slave to the master)

  • SCLK - clock, driven by the master. Not like your typical metronome clock: it only ticks while a transfer is going on, and the data lines are only meaningful on a clock edge (explained in the next point)

  • SS / Enable (slave select) - determines which slave the master is talking to, usually active low

• Two settings describe the clock, CPOL and CPHA, giving four "modes". CPOL is the idle level of the clock line. CPHA picks the edge on which the data lines are "read": with CPHA=0 the data on MOSI and MISO is sampled on the first (leading) edge of each clock pulse, with CPHA=1 on the second (trailing) edge. So in mode 0 (CPOL=0, CPHA=0, the most common) when you see the clock go from bottom to top, that is when the MOSI and MISO lines are read. Decoding with the wrong mode gives a bit-shifted or garbage stream, so if a capture makes no sense, try the other three modes before blaming the wiring.
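An added example, not from the deck, that shows what the mode setting does to a decode. It is a minimal SPI decoder over logic-analyzer samples of the form (CS, CLK, MOSI, MISO), with an encoder used only to fabricate test captures. The transaction it decodes is a JEDEC "Read Identification" (command 0x9F) and the reply C2 20 16, which is what a 4 MiB Macronix MX25L32xx flash answers; that part number is an assumption, the deck only says the flash is an "MX" 4 MiB device.

```python
def sample_on_rising(cpol, cpha):
    """CPHA=0 latches on the leading edge, CPHA=1 on the trailing edge; with CPOL=0
    the leading edge is rising, with CPOL=1 it is falling. Hence: rising iff CPOL==CPHA."""
    return cpol == cpha


def decode_spi(samples, cpol=0, cpha=0):
    """samples: iterable of (cs, clk, mosi, miso) logic levels, CS active-low.
    Returns (mosi_bytes, miso_bytes), MSB first, one bit per sampling edge while CS
    is asserted. Releasing CS drops any partial byte, as a real slave would."""
    want = (0, 1) if sample_on_rising(cpol, cpha) else (1, 0)
    mosi_out, miso_out = bytearray(), bytearray()
    mo = mi = nbits = 0
    prev_clk = cpol
    for cs, clk, mosi, miso in samples:
        edge, prev_clk = (prev_clk, clk), clk
        if cs:                              # not selected: clear the shift registers
            mo = mi = nbits = 0
            continue
        if edge != want:
            continue
        mo, mi, nbits = (mo << 1) | mosi, (mi << 1) | miso, nbits + 1
        if nbits == 8:
            mosi_out.append(mo)
            miso_out.append(mi)
            mo = mi = nbits = 0
    return bytes(mosi_out), bytes(miso_out)


def encode_spi(mosi_bytes, miso_bytes, cpol=0, cpha=0):
    """Fabricate the capture a master/slave pair produces in a given mode (test data
    only). For CPHA=1 the lines still hold the previous bit at the leading edge,
    which is exactly why latching on the wrong edge reads a bit-shifted stream."""
    idle, active = cpol, 1 - cpol
    samples = [(1, idle, 0, 0), (1, idle, 0, 0), (0, idle, 0, 0)]
    a = b = 0
    for mo, mi in zip(mosi_bytes, miso_bytes):
        for i in range(7, -1, -1):
            na, nb = (mo >> i) & 1, (mi >> i) & 1
            if cpha == 0:
                samples += [(0, idle, na, nb), (0, active, na, nb), (0, idle, na, nb)]
            else:
                samples += [(0, active, a, b), (0, idle, na, nb)]
            a, b = na, nb
    samples += [(0, idle, 0, 0), (1, idle, 0, 0)]
    return samples


# JEDEC "Read Identification" (0x9F): the master clocks out the command plus three
# dummy bytes; the flash answers manufacturer / memory type / capacity on MISO.
# C2 20 16 is a 4 MiB Macronix MX25L32xx answer (assumption, see the lead-in).
MASTER = bytes([0x9F, 0x00, 0x00, 0x00])
SLAVE = bytes([0xFF, 0xC2, 0x20, 0x16])


def jedec_id(samples, cpol=0, cpha=0):
    """(mfg, type, capacity) from a decoded RDID exchange, or None if the capture
    does not start with a 0x9F command byte."""
    mosi, miso = decode_spi(samples, cpol, cpha)
    if len(mosi) < 4 or mosi[0] != 0x9F:
        return None
    return tuple(miso[1:4])


if __name__ == "__main__":
    for mode in range(4):
        cpol, cpha = mode >> 1, mode & 1
        print("mode", mode, jedec_id(encode_spi(MASTER, SLAVE, cpol, cpha), cpol, cpha))
```

Decoding a mode-1 capture as mode 0 returns 0x4F instead of 0x9F for the first byte (the stream shifted by one bit), which is the symptom to look for when a PL2 decode comes out as plausible-looking nonsense.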
[Screenshot: Saleae Logic 1.1.15, capture file pl2.50mhz.2.logicdata of the PL2 pins sampled at 50 MHz, showing the clock and data traces with the Measurements/Period panel open]
wuntee vs debug pins

round 5: PL1

• No data?

• However, the pins "scream JTAG"
JTAG

JTAG pins, on their own, do not send any data. AKA - you will not see anything if you only have a logic analyzer connected

Five signals must be connected in order to communicate with a device (VREF, TMS, TCK, TDO, TDI), plus ground; TRST is optional

The cable (the debug adapter) provides the clock signal to the board (presumably that's why there is no data on the pins on their own)

Multiple chips can be "daisy chained" together. Meaning one JTAG plug/pin-out can communicate with multiple chips on a board

Each chip in the chain exposes a TAP (Test Access Port); OpenOCD calls each one a "tap"

Hardware/Software

Olimex ARM-USB-OCD-H
OpenOCD

Discovery workflow

1. If there is data on the pins, then it's not JTAG

2. If there is a known configuration for the pins, plug the JTAG up accordingly (as well as the 180 degree flipped version, as we do not know which is pin 0)

3. Power the device

4. Start the OpenOCD software. If it can discover TAPs, then you have a JTAG port
$ sudo ./openocd -f wuntee.cfg

Open On-Chip Debugger 0.5.0 (2012-07-02-13:56)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.berlios.de/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'jtag'
3000 kHz
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain
RCLK - adaptive
Info : device: 6 "2232H"
Info : deviceID: 364511275
Info : SerialNumber: OLUTHMH9A
Info : Description: Olimex OpenOCD JTAG ARM-USB-OCD-H A
Info : max TCK change to: 30000 kHz
Info : RCLK (adaptive clock speed)
Warn : There are no enabled taps. AUTO PROBING MIGHT NOT WORK!!
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -expected-id 0x02220093 ..."
Warn : AUTO auto0.tap - use "... -irlen 2"
Error: IR capture error at bit 2, saw 0x3FFFFFFFFFFFFFF5 not 0x...3
Warn : Bypassing JTAG setup events due to errors
Warn : gdb services need one or more targets defined
Must configure TAP

• OpenOCD needs:

  • expected-id

  • irlen

  • ircapture

  • irmask

• Googling the expected-id reveals this is the Xilinx chip (manufacturer code 0x049 in the IDCODE)

• BSDL to the rescue... (the Boundary Scan Description Language file the vendor publishes for the part gives the instruction register length and the capture pattern)
attribute INSTRUCTION_LENGTH of XC3S400_BARE : entity is 6;

...

attribute INSTRUCTION_CAPTURE of XC3S400_BARE : entity is
-- Bit 5 is 1 when DONE is released (part of startup sequence)
-- Bit 4 is 1 if house-cleaning is complete
-- Bit 3 is ISC_Enabled
-- Bit 2 is ISC_Done
"XXXX01";
$ sudo openocd -f probe.cfg

Open On-Chip Debugger 0.6.0-dev-00603-g43863b6 (2012-07-10-12:01)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.sourceforge.net/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'jtag'
RCLK - adaptive
3000 kHz
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain
Info : clock speed 3000 kHz
Info : JTAG tap: unk1.tap tap/device found: 0x02220093 (mfg: 0x049, part: 0x2220, ver: 0x0)
Warn : gdb services need one or more targets defined

> jtag init
Info : JTAG tap: unk1.tap tap/device found: 0x02220093 (mfg: 0x049, part: 0x2220, ver: 0x0)
Ok, now what?

We can communicate with the Xilinx chip via JTAG, however that doesn't really give us much of anything...

No flash

No OS

We can now, maybe, program the FPGA

Winner: Debug Pins PL1!
Software 
wuntee vs software
round 1: U-Boot

Boots up to a login prompt, how do I get into U-Boot?!

3v3 USB FTDI cable to the pins for two-way communication

Initially I was starting the terminal session after the device started booting, so I was not seeing the U-Boot procedure

After a while I saw a pause in the U-Boot text...

Ralink UBoot Version: 3.7.1

ASIC 2150_MP2 (MAC to GigaMAC Mode)
DRAM COMPONENT: 128Mbits
DRAM BUS: 16BIT
Total memory: 16 MBytes
Date:Jan 7 2009 Time:12:26:56

icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

##### The CPU freq = 384 MHZ ####

SDRAM bus set to 16 bit
SDRAM size =16 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP.
<PAUSE>
UBoot

Press 4, and you're in the U-Boot prompt

help

md - memory display

md + screen + Ruby = flash dump

Thank you ExploitWorkshop.org


Ralink

The full 4MiB flash dump: MX.raw.bz2

Memory map (from the boot log):

0xA0000000 - 0xC0000000   kseg1 unmapped, uncached
    0xA0A81000            phy tx ring, size: 16 bytes
    0xA0A82000            phy rx ring, size: 16 bytes
0xB0000000 - 0xB0200000   Ralink Registers
    0xB0000500            serial8250: ttyS0 (irq = 37) is a 16550A
    0xB0000C00            serial8250: ttyS1 (irq = 12) is a 16550A
0xBF000000 - 0xBF400000   MX flash device: 4MiB Flash (see 0xBFC00000)
0xBF800000 - 0xBFB00000   MX flash device: 4MiB Flash (see 0xBFC00000)
0xBF890000 - 0xBFC00000   MX flash device: 4MiB Flash (see 0xBFC00000)
0xBFC00000 - 0xC0000000   4MiB Flash (MX.raw.bz2)

Flash layout (MX.raw.bz2):

0xBFC00000 - 0xBFC20000   'Bootloader'
    0xBFC00000 - 0xBFC1EF67   U-Boot
    0xBFC1E2E4 - 0xBFC1E5B1   U-Boot default config (the U-Boot environment)
0xBFC20000 - 0xBFC30000   'Config'
    0xBFC20000 - 0xBFC2031B
    0xBFC24000 - 0xBFC29923
0xBFC30000 - 0xBFC40000   'Config'
    0xBFC30000 - 0xBFC34E63
    0xBFC3BF2C - 0xBFC3BFFF
0xBFC40000 - 0xBFE20000   'Kernel'
    0xBFC40000 - 0xBFDDCA76   27 05 19 56 ... (U-Boot image: 'Linux Kernel Image')
    0xBFDE0000 - 0xBFDF8A8B   (Kernel.extra1 - unidentified)
    0xBFE00000 - 0xBFE16D6A   (unidentified)
0xBFE20000 - 0xC0000000   'Kernel'
    0xBFE20000 - 0xBFFBCA76   27 05 19 56 c0 36 ... (U-Boot image: 'Linux Kernel Image')
    0xBFFC0000 - 0xBFFFFED9   38 d6 cd 35 b2 9a ... (Kernel2.extra1 - possibly lzma compressed squashfs)

Leading bytes noted on the slide, in slide order: 4d 3b ac 50 62 03 ... (U-Boot); 92 da de 89 03 92 da de 88 68 b4 00 00 10 ... 6f (U-Boot config); 27 05 19 56 c0 ea 26 a2 ... (uImage); 8d fb 8e 98 be 1b ae ... (Kernel.extra1). 27 05 19 56 is the U-Boot uImage header magic.
md

RT2150 # md bfc00000 100000
bfc00000: 100000ff 00000000 100000fd 00000000
bfc00010: 10000219 00000000 10000217 00000000
bfc00020: 10000215 00000000 10000213 00000000
...
bfffffd0: ffffffff ffffffff ffffffff ffffffff
bfffffe0: ffffffff ffffffff ffffffff ffffffff
bffffff0: ffffffff ffffffff ffffffff ffffffff

(0x100000 32-bit words from 0xBFC00000 is the whole 4 MiB flash window up to 0xC0000000.)
binwalk

DECIMAL   HEX       DESCRIPTION
38193     0x9531    LZMA compressed data, properties: 0x80, dictionary size: 807469056 bytes, uncompressed size: 941686944 bytes
53113     0xCF79    LZMA compressed data, properties: 0x90, dictionary size: 46923776 bytes, uncompressed size: 36738 bytes
262144    0x40000   uImage header, header size: 64 bytes, header CRC: 0xC0361020, created: Thu Mar 4 03:17:29 2010, image size: 1690167 bytes, Data Address: 0x80000000, Entry Point: 0x802A0000, data CRC: 0x70DC4C09, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: Linux Kernel Image
262208    0x40040   LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3681740 bytes
2228224   0x220000  uImage header, header size: 64 bytes, header CRC: 0xC0361020, created: Thu Mar 4 03:17:29 2010, image size: 1690167 bytes, Data Address: 0x80000000, Entry Point: 0x802A0000, data CRC: 0x70DC4C09, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: Linux Kernel Image
2228288   0x220040  LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3681740 bytes

The two hits before 0x40000 claim dictionary and output sizes far larger than the 4 MiB flash and are false positives. The real payloads are the two uImage-wrapped LZMA streams (properties 0x5D, 32 MiB dictionary, 3681740 bytes uncompressed), one per 'Kernel' partition, with identical headers.
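The md-to-image step and the uImage check binwalk does can be reproduced together. This is an added example, not the deck's (the author did it in Ruby): it rebuilds a flash image from a captured `md` session and then locates every uImage header whose header CRC verifies, checking the payload CRC as well. The md transcript below is constructed from a tiny flash image built in the same block; the endianness constant is an assumption drawn from the memcpy slide later in the deck, where the bytes E8 CD 27 80 are the word 0x8027CDE8, i.e. the Ralink MIPS runs little-endian. If the 27 05 19 56 magic never shows up in a rebuilt image, the byte order is the first thing to flip.

```python
import re
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, IH_COMP_LZMA = 5, 5, 2, 3
HDR = struct.Struct(">IIIIIIIBBBB32s")      # 64-byte legacy uImage header, always big-endian
MD_LINE = re.compile(r"^([0-9a-f]{8}):\s+((?:[0-9a-f]{8}\s*){1,4})", re.I)
FLASH_BASE = 0xBFC00000
CPU_ENDIAN = "<"    # assumption: this Ralink MIPS is little-endian (memcpy slide bytes)


def parse_md(text, base, endian=CPU_ENDIAN):
    """Turn 'addr: w0 w1 w2 w3' lines from a screen log into bytes starting at base.
    md prints 32-bit words as values, so they are re-packed in the CPU's byte order;
    addresses nobody dumped are filled with 0xFF (erased flash)."""
    words = {}
    for line in text.splitlines():
        m = MD_LINE.match(line.strip())
        if not m:
            continue                      # prompt, "...", or other non-dump text
        addr = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[addr + 4 * i] = int(w, 16)
    img = bytearray(b"\xff" * (max(words) + 4 - base))
    for addr, w in words.items():
        struct.pack_into(endian + "I", img, addr - base, w)
    return bytes(img)


def find_uimages(img, base):
    """Every uImage header in img whose header CRC verifies, with the payload CRC
    checked too. A byte-swapped image yields nothing: that is the endianness check."""
    found, magic = [], struct.pack(">I", UIMAGE_MAGIC)
    off = img.find(magic)
    while off != -1 and off + HDR.size <= len(img):
        f = list(HDR.unpack_from(img, off))
        hcrc, f[1] = f[1], 0              # the header CRC is computed with its field zeroed
        if zlib.crc32(HDR.pack(*f)) & 0xFFFFFFFF == hcrc:
            data = img[off + HDR.size: off + HDR.size + f[3]]
            found.append({"addr": base + off, "size": f[3], "load": f[4], "ep": f[5],
                          "os": f[7], "arch": f[8], "type": f[9], "comp": f[10],
                          "name": f[11].rstrip(b"\0").decode(),
                          "data_ok": len(data) == f[3] and zlib.crc32(data) & 0xFFFFFFFF == f[6]})
        off = img.find(magic, off + 1)
    return found


# --- constructed sample: a tiny flash image and the md transcript of it ------------------
def make_uimage_header(payload, load, ep, name):
    """Legacy uImage header over payload; used only to fabricate the sample."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, ep, zlib.crc32(payload) & 0xFFFFFFFF,
              IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, IH_COMP_LZMA, name.ljust(32, b"\0")]
    fields[1] = zlib.crc32(HDR.pack(*fields)) & 0xFFFFFFFF
    return HDR.pack(*fields)


def to_md_text(img, base, endian=CPU_ENDIAN):
    """Render bytes the way 'md' prints them: four CPU-order words per line."""
    lines = []
    for off in range(0, len(img), 16):
        chunk = img[off:off + 16]
        lines.append("%08x: %s" % (base + off, " ".join(
            "%08x" % struct.unpack_from(endian + "I", chunk, i)[0] for i in range(0, 16, 4))))
    return "\n".join(lines)


PAYLOAD = b"not-really-an-lzma-kernel".ljust(256, b"\0")
SAMPLE_IMG = (b"".join(struct.pack(CPU_ENDIAN + "I", w) for w in (0x100000FF, 0, 0x100000FD, 0)) * 4
              + make_uimage_header(PAYLOAD, 0x80000000, 0x802A0000, b"Linux Kernel Image")
              + PAYLOAD + b"\xff" * 64)
SAMPLE_MD = "RT2150 # md bfc00000 70\n" + to_md_text(SAMPLE_IMG, FLASH_BASE) + "\n..."

if __name__ == "__main__":
    for h in find_uimages(parse_md(SAMPLE_MD, FLASH_BASE), FLASH_BASE):
        print(h)
```

Verifying the header CRC rather than trusting the magic alone is what separates the two real kernels on the previous slide from the false positives binwalk also reports.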
binwalk again... (run on the decompressed kernel: 3681740 bytes = 0x382DCC, the size IDA loads)

DECIMAL   HEX       DESCRIPTION
43879     0xAB67    LZMA compressed data, properties: 0x99, dictionary size: 604110848 bytes, uncompressed size: 134228624 bytes
43991     0xABD7    LZMA compressed data, properties: 0xA1, dictionary size: 604110848 bytes, uncompressed size: 272695199 bytes
44055     0xAC17    LZMA compressed data, properties: 0xB9, dictionary size: 604110848 bytes, uncompressed size: 134228727 bytes
48415     0xBD1F    LZMA compressed data, properties: 0x8D, dictionary size: 604176384 bytes, uncompressed size: 285409297 bytes
211609    0x33A99   LZMA compressed data, properties: 0x98, dictionary size: 2883584 bytes, uncompressed size: 270602336 bytes
665349    0xA2705   LZMA compressed data, properties: 0xB0, dictionary size: 4456448 bytes, uncompressed size: 539037760 bytes
747221    0xB66D5   LZMA compressed data, properties: 0x90, dictionary size: 3538944 bytes, uncompressed size: 5376 bytes
1230829   0x12C7ED  LZMA compressed data, properties: 0x90, dictionary size: 1507328 bytes, uncompressed size: 270602368 bytes
1321181   0x1428DD  LZMA compressed data, properties: 0x98, dictionary size: 4718592 bytes, uncompressed size: 404820514 bytes
1345045   0x148615  LZMA compressed data, properties: 0x98, dictionary size: 4718592 bytes, uncompressed size: 404820514 bytes
1361573   0x14C6A5  LZMA compressed data, properties: 0x98, dictionary size: 262144 bytes, uncompressed size: 4800 bytes
2280645   0x22CCC5  LZMA compressed data, properties: 0x80, dictionary size: 2686976 bytes, uncompressed size: 404821056 bytes
2352340   0x23E4D4  Squashfs filesystem, big endian, lzma compression, version 10281.2560, size: 7304680684267074304 bytes, 1835097973 inodes, blocksize: 1660944384 bytes, created: Sat May 10 19:23:31 2031
2525762   0x268A42  Squashfs filesystem, big endian, lzma compression, version 4598.1432, size: 969631157860134376 bytes, -737483663 inodes, blocksize: -1754829336 bytes, created: Fri Aug 22 18:03:59 2031
2625208   0x280EB8  Squashfs filesystem, big endian, lzma compression, version 28001.24422, size: 7956861085501714028 bytes, 1835097973 inodes, blocksize: 7695986 bytes, created: Fri Jan 23 08:15:17 2026
2625220   0x280EC4  Squashfs filesystem, big endian, lzma compression, version 29556.25970, size: 7956861085501124449 bytes, 1835097961 inodes, blocksize: 1852601088 bytes, created: Mon Mar 30 20:46:26 1970
2625232   0x280ED0  Squashfs filesystem, big endian, lzma compression, version 30062.29285, size: 8286623314368819041 bytes, 1835097958 inodes, blocksize: 1852601088 bytes, created: Thu Sep 14 23:24:48 2028
2650332   0x2870DC  LZMA compressed data, properties: 0x80, dictionary size: 536870912 bytes, uncompressed size: 8393935 bytes
2690621   0x290E3D  LZMA compressed data, properties: 0x00, dictionary size: 8388608 bytes, uncompressed size: 2129937 bytes
2754996   0x2A09B4  Linux rev 0.0 ext2 filesystem data (mounted or unclean), UUID=1800bd27-e8ff-bd27-1000-bfaff9cc0a0c (huge files)
2890204   0x2C19DC  LZMA compressed data, properties: 0x98, dictionary size: 805306368 bytes, uncompressed size: 1 bytes
2890224   0x2C19F0  LZMA compressed data, properties: 0x98, dictionary size: 805306368 bytes, uncompressed size: 1 bytes
2899968   0x2C4000  LZMA compressed data, properties: 0x5D, dictionary size: 1048576 bytes, uncompressed size: 2862592 bytes

Only the last hit is credible: properties 0x5D is the standard LZMA settings byte and a 1 MiB dictionary with a 2.8 MB output fits a kernel's embedded initramfs. Every Squashfs and ext2 hit, and the other LZMA hits, report impossible sizes, versions or dates and are false positives; 0x2C4000 is the stream worth carving.
cpio hell

[Hex dump of the LZMA-decompressed blob: newc cpio headers ("070701...", mode 000081ED = regular file 0755, uid/gid 000003E8 = 1000) followed by names such as usr/sbin/setlogcons and bin/busybox, an ELF binary, and the interpreter path /lib/ld-uClibc.so.0]

$ cpio -it -F lzma4.18

/init
/var
/proc
/usr
/usr/sbin
/usr/sbin/setlogcons
/usr/sbin/ipc_client
/usr/sbin/config_server
/usr/sbin/cs_client
/usr/sbin/telnetd
/usr/sbin/udhcpd
/usr/sbin/rmm_client
/usr/sbin/chpasswd
/usr/sbin/ipc_server
/usr/bin
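The blob is a "newc" cpio archive (the 070701 magic and the ASCII hex header fields are visible in the dump), which is simple enough to parse by hand when cpio chokes on a slightly-off carve. This added example, not from the deck, is such a parser plus the first-pass triage a practitioner runs over an initramfs: list members, flag setuid executables, pull the account file. The archive it parses is constructed in the block from a few of the paths in the listing above; contents, modes and the setuid member are made up.

```python
NEWC_MAGIC = b"070701"
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check")
S_IFMT, S_IFREG, S_IFDIR, S_ISUID = 0o170000, 0o100000, 0o040000, 0o4000


def _pad4(n):
    return (4 - n % 4) % 4


def parse_newc(buf):
    """Yield (name, mode, data) for each member of a newc archive, stopping at the
    TRAILER!!! record. A bad magic raises instead of skipping: when a carve from a
    binwalk offset is off by a few bytes you want to know, not get an empty list."""
    off = 0
    while off + 110 <= len(buf):
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset 0x%x" % off)
        h = {k: int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i, k in enumerate(FIELDS)}
        name_off = off + 110
        name = buf[name_off:name_off + h["namesize"] - 1].decode()   # drop the NUL
        data_off = name_off + h["namesize"] + _pad4(110 + h["namesize"])
        if name == "TRAILER!!!":
            return
        yield name, h["mode"], buf[data_off:data_off + h["filesize"]]
        off = data_off + h["filesize"] + _pad4(h["filesize"])


def triage(buf):
    """First pass over an initramfs: setuid executables and the account file,
    which is where the deck goes next (John the Ripper on /etc/passwd)."""
    setuid, passwd = [], None
    for name, mode, data in parse_newc(buf):
        if mode & S_IFMT == S_IFREG and mode & S_ISUID:
            setuid.append(name)
        if name == "etc/passwd":
            passwd = data.decode()
    return setuid, passwd


def make_newc(entries):
    """Write a newc archive from (name, mode, data) tuples; used to build the sample."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        nm = name.encode() + b"\0"
        vals = dict.fromkeys(FIELDS, 0)
        vals.update(ino=ino, mode=mode, uid=1000, gid=1000, nlink=1,
                    filesize=len(data), namesize=len(nm))
        hdr = NEWC_MAGIC + b"".join(b"%08X" % vals[k] for k in FIELDS)
        out += hdr + nm + b"\0" * _pad4(len(hdr) + len(nm))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


# Constructed sample: a few of the paths from the 'cpio -it' listing. Contents,
# modes and the setuid member are made up; nothing here is from the real image.
SAMPLE = make_newc([
    ("init", S_IFREG | 0o755, b"#!/bin/sh\nexec /sbin/init\n"),
    ("usr/sbin", S_IFDIR | 0o755, b""),
    ("usr/sbin/telnetd", S_IFREG | 0o755, b"\x7fELF" + b"\0" * 12),
    ("usr/sbin/example_suid", S_IFREG | S_ISUID | 0o755, b"\x7fELF" + b"\0" * 12),
    ("etc/passwd", S_IFREG | 0o644, b"root:x:0:0:root:/:/bin/sh\n"),
])

if __name__ == "__main__":
    for name, mode, data in parse_newc(SAMPLE):
        print("%06o %6d %s" % (mode, len(data), name))
    print(triage(SAMPLE))
```

The 0x81ED mode seen in the dump is 0100755 in octal, a plain executable; the parser prints modes in octal so that comparison is immediate.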
Reversing

• Focus

  • sbin/*.sh

  • boot procedure

  • binaries using '_eval'
PICO CONFIG

tamper_proof - this seems to be the configuration of the 'tamper' pins on the front and back of the board. One of the applications actually allows you to set the device in 'learn mode,' which presumably writes the current pin configuration.

There look to be firmware images on a 192.168.157.186 host

There is a firewall node that resembles what is being seen at boot

PICO CONFIG + IPtables boot

[ firewall ]--[ pf ]--[ enable ]--[ 1 ]
                    --[ num ]--[ 3 ]
                    --[ 0 ]--[ proto ]--[ tcp ]
                          --[ port ]--[ 80 ]
                          --[ dstip ]--[ 192.168.157.186 ]
                    --[ 1 ]--[ proto ]--[ tcp ]
                          --[ port ]--[ 22 ]
                          --[ dstip ]--[ 192.168.157.186 ]
                    --[ 2 ]--[ proto ]--[ tcp ]
                          --[ port ]--[ 8080 ]
                          --[ dstip ]--[ 192.168.157.186 ]
                    --[ 3 ]--[ proto ]--[ tcp ]
                          --[ port ]--[ 20000 ]
                          --[ dstip ]--[ 192.168.157.186 ]
              --[ enable ]--[ 1 ]
              --[ snat ]--[ enable ]--[ 0 ]
                        --[ num ]--[ 0 ]

[FW] [C]iptables -t nat -A PREROUTING -p tcp --dst 0.0.0.0 --dport 80 -j DNAT --to 192.168.157.186:80
[FW] [C]iptables -t nat -A PREROUTING -p tcp --dst 0.0.0.0 --dport 22 -j DNAT --to 192.168.157.186:22
[FW] [C]iptables -t nat -A PREROUTING -p tcp --dst 0.0.0.0 --dport 8080 -j DNAT --to 192.168.157.186:8080
[IDA listing of cs_execute_id; lines that were unreadable in the screenshot are elided]

loc_412328:
    ...
    la      $t9, cs_execute_id
    jalr    $t9 ; cs_execute_id
    ...
    # the "iptables -t nat -A PREROUTING -p tcp ..." string is built in the buffer at $s0
    la      $t9, cs_log
    nop
    jalr    $t9 ; cs_log
    nop
    lw      $gp, 0x440+var_430($sp)
    move    $a0, $s0
    la      $a1, 0x420000
    nop
    addiu   $a1, (aDevNull21 - 0x420000)  # " >/dev/null 2>&1"
    la      $t9, strcat
    nop
    jalr    $t9 ; strcat
    nop
    lw      $gp, 0x440+var_430($sp)
    nop
    la      $v1, 0x420000
    nop
    addiu   $v1, (aC - 0x420000)          # "-c"
    addiu   $a0, $sp, 0x440+var_28        # argv[] on the stack
    move    $a1, $zero
    move    $a2, $zero
    move    $a3, $zero
    la      $v0, 0x420000
    nop
    addiu   $v0, (aSh - 0x420000)         # "sh"
    sw      $s0, 0x440+var_20($sp)        # argv[2] = command string
    sw      $v0, 0x440+var_28($sp)        # argv[0] = "sh"
    sw      $v1, 0x440+var_24($sp)        # argv[1] = "-c"
    sw      $zero, 0x440+var_1C($sp)      # argv[3] = NULL
    la      $t9, _eval
    nop
    jalr    $t9 ; _eval
    nop
    lw      $gp, 0x440+var_430($sp)
    lw      $ra, 0x440+var_8($sp)
    lw      $s2, 0x440+var_10($sp)
    lw      $s1, 0x440+var_14($sp)
    lw      $s0, 0x440+var_18($sp)
    move    $v0, $zero
    jr      $ra
    addiu   $sp, 0x440
# End of function cs_execute_id

Which is:

eval(sh -c [IPTABLES STRING] > /dev/null 2>&1)
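The security-relevant point of that listing is the shape of the call, not the iptables rule: config values are concatenated into one string and handed to `sh -c`. This added example (not the deck's code) rebuilds that string from the config tree on the previous slide, so the three DNAT lines from the boot log fall out of it, and puts the argv-based alternative next to it. Whether anyone other than the operator can write those config values is not established on this page; the example only shows what the construction means if they can. The config dictionary and the "bad" value are constructed.

```python
import shlex

# Constructed from the "PICO CONFIG + IPtables boot" slide.
FIREWALL_CONFIG = {
    "pf": {"enable": 1, "num": 3, "rules": [
        {"proto": "tcp", "port": 80, "dstip": "192.168.157.186"},
        {"proto": "tcp", "port": 22, "dstip": "192.168.157.186"},
        {"proto": "tcp", "port": 8080, "dstip": "192.168.157.186"},
        {"proto": "tcp", "port": 20000, "dstip": "192.168.157.186"},
    ]},
    "snat": {"enable": 0, "num": 0},
}


def dnat_rule_string(rule):
    """The command text as it appears in the boot log after the [FW] [C] prefix."""
    return ("iptables -t nat -A PREROUTING -p %(proto)s --dst 0.0.0.0 --dport %(port)s "
            "-j DNAT --to %(dstip)s:%(port)s" % rule)


def dnat_rule_argv(rule):
    """The same rule as an argv vector for execve(): every value is one argument,
    so metacharacters in it reach iptables as data, never the shell as syntax."""
    return ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", rule["proto"],
            "--dst", "0.0.0.0", "--dport", str(rule["port"]),
            "-j", "DNAT", "--to", "%s:%s" % (rule["dstip"], rule["port"])]


def eval_commands(cfg):
    """What cs_execute_id hands to _eval, one per rule:
    {"sh", "-c", "<iptables string> >/dev/null 2>&1", NULL}. Assumption: the 'num'
    node bounds the loop; with num=3 only rules 0..2 are applied, which is consistent
    with the three DNAT lines in the boot log and the port-20000 entry missing from it."""
    pf = cfg["pf"]
    if not pf["enable"]:
        return []
    return [["sh", "-c", dnat_rule_string(r) + " >/dev/null 2>&1"]
            for r in pf["rules"][:pf["num"]]]


def shell_split(cmd):
    """Approximate how 'sh -c' cuts a string into separate commands: tokenize like
    the shell and break at ';', '&&' and '||'. Returns a list of argv lists."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    cmds, cur = [], []
    for tok in lex:
        if tok in (";", "&&", "||"):
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


if __name__ == "__main__":
    for c in eval_commands(FIREWALL_CONFIG):
        print(c)
    # Constructed: a dstip value carrying shell syntax. Through sh -c it becomes a
    # second command; through argv it stays one (malformed) address argument.
    bad = {"proto": "tcp", "port": 80, "dstip": "192.168.157.186;echo injected #"}
    print(shell_split(dnat_rule_string(bad) + " >/dev/null 2>&1"))
    print(dnat_rule_argv(bad)[-1])
```

With the argv form, iptables simply rejects the malformed `--to` value; with the string form, the shell runs whatever follows the semicolon, and the `#` discards the rest of the line, redirections included.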
uboot memory protect

RT2150 # printenv
bootcmd=tftp
bootdelay=3
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=10.10.10.123
serverip=10.10.10.3
preboot=echo;echo
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
kernel_addr=BFC40000
u-boot=u-boot.bin
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
loadfs=tftp 8A100000 root.cramfs
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
test_tftp=tftp 8A100000 root.cramfs;run test_tftp
boot_loc=0
backdoor=0
manuf_test=0
fail_cnt=0
stdin=serial
stdout=serial
stderr=serial
ethact=Eth0 (10/100-M)
Environment size: 829/65532 bytes
While waiting for a new microcell...

• /etc/passwd - John The Ripper

• Loading the kernel image

• Reversing the function table

DECIMAL   HEX       DESCRIPTION
2228224   0x220000  uImage header, created: Thu Mar 4 03:17:29 2010, image size: 1690167 bytes, Data Address: 0x80000000, Entry Point: 0x802A0000, CRC: 0x70DC4C09, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: Linux Kernel Image
Disassembly memory organization

IDA binary load dialog for the decompressed kernel:

  RAM section: start address 0x80000000, size 0x382DCC
  ROM section: start address 0x0, size 0x382DCC
  Input file: loading address 0x80000000, file offset 0x0, loading size 0x382DCC
  (Additional binary files can be loaded into the database using the File, Load file, Additional binary file... command.)

Strings window (excerpt): C strings in the RAM:8023... to RAM:8028... range that are kernel symbol names: blk_do_ordered, blk_dump_rq_flags, blk_end_sync_rq, blk_execute_rq, blk_execute_rq_nowait, blk_free_tags, blk_get_backing_dev_info, blk_get_queue, blk_get_request, blk_init_queue, blk_init_queue_node, blk_init_tags, blk_insert_request, blk_max_low_pfn, blk_max_pfn, blk_plug_device, blk_put_queue, blk_put_request, blk_queue_bounce
Function Strings

• Table of [function_pointer][string_mem_addr] pairs, one after another (on the memcpy slide the words at 0x80276288 are 0x800F08C0 followed by 0x8027CDE8, the address of the "memcpy" string)

• Ruby to strip them out and create an IDA script...

#include <idc.idc>

static main() {
    MakeName(0x8028afc8, "init_mm");
    MakeName(0x80383000, "init_task");
    MakeName(0x80383008, "system_state");
    MakeName(0x8028b4d4, "reset_devices");
    MakeName(0x80002c1c, "loops_per_jiffy");
    MakeName(0x80004920, "init_uts_ns");
    MakeName(0x80384000, "get_surfboard_sysclk");
    MakeName(0x80004a2c, "allocate_irqno");
    MakeName(0x8038502c, "free_irqno");
    MakeName(0x80006390, "pm_power_off");
    MakeName(0x8022a380, "_up");
    MakeName(0x8022a4d8, "_down");
    MakeName(0x80384040, "_down_interruptible");
    MakeName(0x80384274, "cpu_data");
}

Functions window (excerpt, all in segment RAM): local_flush_data_cache_page, lock_rename, locks_init_lock, locks_mandatory_area, malloc_sizes, mark_page_accessed, memchr, memmove, memparse, memscan, memset, mod_timer, mpage_writepage, mutex_lock, mutex_trylock, names_cachep, nobh_truncate_page
memcpy

• String at 0x8027CDE8

• Does the address exist anywhere else? (using Search -> sequence of bytes in IDA)

RAM:8027CDE8  .byte 0x6D  # m
RAM:8027CDE9  .byte 0x65  # e
RAM:8027CDEA  .byte 0x6D  # m
RAM:8027CDEB  .byte 0x63  # c
RAM:8027CDEC  .byte 0x70  # p
RAM:8027CDED  .byte 0x79  # y
RAM:8027CDEE  .byte 0
RAM:8027CDEF  .byte 0

RAM:80276288  .byte 0xC0  # C0 08 0F 80 = 0x800F08C0 read little-endian
RAM:80276289  .byte 0x08
RAM:8027628A  .byte 0x0F
RAM:8027628B  .byte 0x80
RAM:8027628C  .byte 0xE8  # E8 CD 27 80 = 0x8027CDE8: the pointer to "memcpy"
RAM:8027628D  .byte 0xCD
RAM:8027628E  .byte 0x27
RAM:8027628F  .byte 0x80
RAM:80276290  .byte 0x60  # 60 CB 0F 80 = 0x800FCB60: the next entry's function pointer
RAM:80276291  .byte 0xCB
RAM:80276292  .byte 0x0F
RAM:80276293  .byte 0x80

(The pointer bytes are least-significant first: this kernel is little-endian MIPS, and each table entry is an 8-byte [function_pointer][string_pointer] pair.)
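The Ruby script from the "Function Strings" slide is not on the page, so here is an added equivalent in Python (not the deck's code) covering that slide and this one: it walks the table of (function_pointer, string_pointer) pairs in a raw kernel image loaded at 0x80000000, resolves each string, and writes the IDC MakeName() lines. The pair order and the little-endian word size come from the bytes above: C0 08 0F 80 E8 CD 27 80 at 0x80276288 are the words 0x800F08C0 and 0x8027CDE8, and 0x8027CDE8 is where "memcpy" lives. The memory image below is constructed to reproduce exactly those bytes; the second and third entries (memset, strcat and their addresses) are made up for the example.

```python
import struct

BASE = 0x80000000
IMAGE_SIZE = 0x382DCC                  # loading size from the IDA dialog


def build_sample_image():
    """Constructed memory image: a 3-entry table at 0x80276288 and the name strings
    it points to. Only the memcpy entry reproduces slide bytes; the other two
    entries and their addresses are made up."""
    img = bytearray(IMAGE_SIZE)
    names = {0x8027CDE8: b"memcpy", 0x8027CDF0: b"memset", 0x8027CDF8: b"strcat"}
    for addr, s in names.items():
        img[addr - BASE: addr - BASE + len(s) + 1] = s + b"\0"
    table = [(0x800F08C0, 0x8027CDE8), (0x800FCB60, 0x8027CDF0), (0x800FCC20, 0x8027CDF8)]
    off = 0x80276288 - BASE
    for value, name_ptr in table:
        struct.pack_into("<II", img, off, value, name_ptr)   # little-endian MIPS
        off += 8
    return bytes(img)


def read_cstring(img, addr, limit=128):
    """NUL-terminated string at a kernel virtual address, or b'' if none."""
    off = addr - BASE
    end = img.find(b"\0", off, off + limit)
    return img[off:end] if end != -1 else b""


def walk_symbol_table(img, table_addr, max_entries=10000):
    """Yield (value, name) from consecutive (value, name_ptr) pairs until a pair
    no longer looks like two in-image addresses with a C identifier behind the
    second one. That stop rule is what keeps the walk from running into data."""
    off = table_addr - BASE
    top = BASE + len(img)
    for _ in range(max_entries):
        if off + 8 > len(img):
            return
        value, name_ptr = struct.unpack_from("<II", img, off)
        if not (BASE <= value < top and BASE <= name_ptr < top):
            return
        name = read_cstring(img, name_ptr)
        if not name or not all(c == 95 or chr(c).isalnum() for c in name):
            return
        yield value, name.decode()
        off += 8


def idc_script(symbols):
    """The IDC file to run in IDA: one MakeName() per (address, name) pair."""
    lines = ["#include <idc.idc>", "", "static main() {"]
    lines += ['    MakeName(0x%08x, "%s");' % (v, n) for v, n in symbols]
    lines += ["}"]
    return "\n".join(lines)


if __name__ == "__main__":
    img = build_sample_image()
    print(idc_script(walk_symbol_table(img, 0x80276288)))
```

On the real image the walk starts at whatever address the first "sequence of bytes" search hit, and the stop rule ends it where the table does; names that are not identifiers (or pointers outside the image) mean the start address is wrong, not that the table is short.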
During all of this work...

• John had success... after 7 days

• root/sshd = 7 characters, lowercase a-z

• GPL
GPL

Where specific free/open source license terms (such as the GNU Lesser/General Public License) entitle you to the source code of such software, that source code will be available to you at cost from [COMPANY] for at least three years from the purchase date of your product. If you would like a copy on a CD of such open source code, upon written request and receipt of payment of $9.99 (to cover shipping and handling costs), [COMPANY] will mail to you a copy. Please send your written request and check payment (payable to [COMPANY]), together with your name, mailing address, email address and phone number to:
GPL

DPH151_V1.0.25-5.tar.gz - This is the full build chain for the device that will allow you to build an image file for the device on Ubuntu OS. It contains a configuration file that allows full control of what applications are included in the final image.

ip.access-AP-IPA1.0-3.zip - This seems to be source code for another (PICO) processor on the board. It does not contain a full build chain. It is just the source code for specific packages and patches, as well as the licenses for the associated packages.

Ralink Internals

• Architecture - GPIO to boot the pico, DHCPD on 192.168.157.185/30

• IPTables - NATs 80, 22, 8080 to .186 (pico)

• ipcserver - Router/PICO IPC mechanism

• wizard - Remote commands via multicast

• cfg_flash - backdoor